Good point, I can add a NEWS item and perhaps add this to the next stable release notes.

Ondřej
--
Ondřej Surý (He/Him)

> On 21. 7. 2024, at 15:12, Etienne Dechamps <[email protected]> wrote:
>
> Package: bind9
> Version: 1:9.19.24-185-g392e7199df2-1
>
> Version 1:9.19.24-185-g392e7199df2-1 of the bind9 package includes this
> change:
>
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9046
>
> Which changes the default ACL for zone transfers (allow-transfer) from
> "allow by default" to "deny by default".
>
> While I think this change makes sense in and of itself from a security
> perspective, it has the potential to cause widespread breakage to
> existing setups that may accidentally rely on zone transfers being
> allowed by default - this is what happened to me when I updated.
>
> What makes this worse is zone transfer breakage can easily go
> unnoticed initially since it only affects secondaries. Operators may
> end up finding out their secondaries don't work at the worst possible
> time - again, speaking from experience here.
>
> It may be worth taking steps to reduce the likelihood of breaking
> existing setups before this change percolates down to testing and
> stable. For example, displaying some kind of big warning on package
> update.
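
A pre-upgrade check for the breakage described in the report, as an added example that is not part of the thread or of the bind9 package: it lists primary zones that set no `allow-transfer` of their own and so rely on the default. The sample configuration is constructed and the function names are hypothetical; `include` files and view-level ACLs are not followed.

```python
import re

# Constructed sample named.conf, not taken from the thread.
SAMPLE_CONF = '''
options {
    directory "/var/cache/bind";
};
zone "example.org" {
    type primary;
    file "/etc/bind/db.example.org";
};
zone "example.net" {
    type primary;
    file "/etc/bind/db.example.net";
    allow-transfer { key "xfer-key"; };
};
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out ACLs are not counted."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def blocks(text, keyword):
    """Yield (name, body) for each `keyword ["name"] { ... }` statement."""
    for m in re.finditer(r'(?m)^\s*%s\b\s*(?:"([^"]+)")?[^{;]*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def zones_relying_on_default(conf):
    """Names of primary zones with no explicit allow-transfer anywhere."""
    text = strip_comments(conf)
    if any('allow-transfer' in body for _, body in blocks(text, 'options')):
        return []  # a global ACL is set explicitly, so the default is not used
    return [name for name, body in blocks(text, 'zone')
            if re.search(r'\btype\s+(primary|master)\b', body)
            and 'allow-transfer' not in body]

if __name__ == '__main__':
    for zone in zones_relying_on_default(SAMPLE_CONF):
        print('zone relies on the default allow-transfer:', zone)
```

Each zone it reports needs an explicit `allow-transfer` naming its secondaries (by address or TSIG key) before the deny-by-default version is installed.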

